Ivanti IDAC Add-On for Splunk
Overview
Details
You can ingest block events, shadowing activity, admin actions and agent status updates from IDAC via Windows event logs or json logs. You can view the data using the pre-built dashboards included with the Ivanti Device and Application Control App for Splunk.
This add-on provides the props.conf properties required to parse both json and Windows event log-based inputs to use with the corresponding IDAC Splunk app.
The add-on was developed and tested against IDAC 5.3, but should support ingestion of logs from any version of IDAC that supports SIEM logging using adc_alp_[32|64].dll
Release Notes
Version 1.0.0
May 7, 2020
Initial release
Overview
Ivanti have developed an integration for IDAC and Splunk to provide details of block, shadowing, admin audit and agent check-in activity.
This Technology Add-On (TA) provides the props.conf properties required to parse both json and Windows event log-based inputs to use with the corresponding IDAC Splunk app.
An accompanying app - the Ivanti IDAC App for Splunk (https://splunkbase.splunk.com/app/5533/) provides dashboards that visualise the retrieved data .
Requirements
The add-on was developed and tested against IDAC 5.3, but should support ingestion of logs from any version of IDAC that supports SIEM logging using adc_alp_[32|64].dll
Installation
For ingestion of IDAC event data, install the TA where Splunk will first parse incoming data - heavy forwarders, or indexers if logs are being sent directly from a Splunk Universal Forwarder.
Install the Ivanti IDAC App for Splunk on search heads for dashboards and CIM-compliant field aliases.
Configuration
To enable SIEM logging on the IDAC server, follow Ivanti's documented instructions (https://forums.ivanti.com/s/article/Syslog-and-Windows-Event-Log-redirection-to-a-3rd-party-SIEM?language=en_US) - or the abridged version that follows.
Take the architecture-specific DLL (adc_alp_32.dll or adc_alp_64.dll) from one of the following two locations in the product installation folders, depending on whether you want to log to a flat file (json) or Windows event log ('wel'):
- DeviceAndApplicationControl <n.n>\ext\siem\wel
- DeviceAndApplicationControl <n.n>\ext\siem\json
Copy the relevant DLL to the location where IDAC's service (sxs.exe) is running, for example: c:\windows\syswow64. If using json logging, create a configuration file (example below) and restart the service.
Example configuration file - named adc_alp_<architecture>.config and located in the same folder as adc_alp_[architecture].dll:
{
"folder": "c:\\IDAC_logs",
"filename":
{
"prefix": "IDAC_Log_",
"extension": "json"
}
}
As per Ivanti's documented guidance, 'There is no cleaning done by the DLL, the consumer will need to take care of deleting the files when processed'.
To ingest logs, deploy an inputs.conf to an IDAC server with monitor stanzas for either the Application event log or the file path if using json-based logging. Example (disabled) inputs.conf entries are provided in the TA's /defaults folder, and shown (enabled) below:
[monitor://C:\idac_logs\*.json]
disabled = 0
index = idac
sourcetype = ivanti:idac:json
[WinEventLog://Application]
renderXml = 1
disabled = 0
start_from = oldest
current_only = 0
whitelist = SourceName="idac_siem_sxs"
sourcetype = ivanti:idac:wel
source=ivanti:idac:wel:application
index = idac
Notes: * Ensure that the target index is correct - if 'idac' doesn't exist, then create it or choose a different index. * If already ingesting the Application event log from the IDAC server, the use of transforms.conf may be required on a Heavy Forwarder or indexer to dynamically reassign the sourcetype to ivanti:idac:wel
For further guidance around ingestion refer to the Splunk 'Getting Data In' (https://docs.splunk.com/Documentation/Splunk/latest/Data/Getstartedwithgettingdatain) or Cloud-focused GDI documentation (https://docs.splunk.com/Documentation/SplunkCloud/latest/Admin/IntroGDI).
Troubleshooting
- Confirm events are being logged locally on the IDAC server. If no event log files (json) or events (Windows event log option) are generated, try using Sysinternals' Process Monitor to confirm adc_alp_*.dll is loaded into sxs.exe. If necessary, engage Ivanti Support.
- Confirm the Splunk Universal Forwarder is installed on the IDAC server, has an inputs.conf stanza configured to monitor the correct json log file location - or the local Application event log.
- Confirm that events are being received by Splunk from the IDAC server - by checking the
_internalindex for values from the IDAC host, if nothing is appearing the IDAC target index
Support
For support, please raise a support call with Ivanti: https://www.ivanti.com.au/support/contact
Products Supported
- IDAC 5.3 onwards
Authors
Intalock (www.intalock.com.au)
- Greg Ford
Release Notes
Version 1.0.1
v1.0.1
- First release